modules/nodeperm_role/nodeperm_role.module

<?php
// $Id: nodeperm_role.module,v 1.9 2006/06/09 15:06:05 robb Exp $
// Original implementation by Jonathan Chaffer.
// Current maintainer Robb Canfield from 2005/12/01 forward


/**
 * History
 *  Date: 2006-06-10
 *    - Changed matrix theme delimiter to a constant and added documentation
 *    - Settings code rewritten to use hook_menu. hook_settings cannot handle custom submit code
 *
 *  Date: 2006-06-10
 *    - Workflow support added but not fully tested
 *    - Added new form elements for creating a matrix
 *
 *  Date: 2006-06-08
 *    - ALPHA quality code
 *    - Converted code to 4.7 (forms API)
 *    - Depreciated code (search for /^#/) that handled restoring states - 4.7 does this proprerly now
 *    - Scheduled for depreciation the option to only handle edit operations
 *      - Handleing view operations add no appreciable processing overhead. The code to show/hide view permissions
 *      is a complication that is uneeded.
 *    - Modified some form descriptions to make things clearer
 *    - Workflow Action method has been disabled until a future date
 *    -- action_node_assign_role_perms() --> XXX_action_node_assign_role_perms()
 */

/**
 * Implementation of hook_help().
 */
function nodeperm_role_help($section) {
  switch ($section) {
    case 'admin/modules#description':
      return t('Grants access to nodes based on users\' roles. After enabling/disabling this module you must go to <a href="%nodeperm_role_settings_url">admin/settings/nodeperm_role</a>.', array('%nodeperm_role_settings_url' => url('admin/settings/nodeperm_role')));
    case 'admin/settings/nodeperm_role':
      return t('It is strongly recommended that you back up your database before changing these options! Specifically, your node_access table will be altered.');
  }
}

/**
 * Implementation of hook_menu().
 */
function nodeperm_role_menu($may_cache) {
  $items = array();

  if (! $may_cache) {
    $items[] = array(
      'path'      => 'admin/settings/nodeperm_role',
      'title'     => 'Nodeperm Role Settings',
      'access'    => user_access('administer nodes'),
      'callback'  => 'nodeperm_role_configure',
    );
  }

  return $items;
}

/**
 * Implementation of hook_perm().
 */
function nodeperm_role_perm() {
  return array('edit own node permissions');
}

/**
 * Implementation of hook_node_grants().
 *
 * Since we are restricting access based on user role, all we have to do is return
 * the user's role IDs.
 */
function nodeperm_role_node_grants($user, $op) {
  return array('nodeperm_role' => array_keys($user->roles));
}

/**
 * Triggered by hook_menu code. Cannot use normal hook_settings since this form is a tad more complex than supported by hook_settings
 */
function nodeperm_role_configure() {
  $form = array();

  drupal_set_title(t('Role-based Node Permissions'));

  $status = t('disabled');
  $btn_text = t('Enable');
  if (variable_get('nodeperm_role_enabled', 1)) {
    $status = t('enabled');
    $btn_text = t('Disable');
  }

  $form['module_status'] = array(
    '#type' => 'fieldset',
    '#title' => t('Module status'),
    '#collapsible' => FALSE,
    '#collapsed' => FALSE,
  );

  $form['module_status']['op'] = array(
    '#type' => 'submit',
    '#value' => $btn_text,
    '#description' => t('Role-based node permissions are currently') . ' ' . $status . '.<br />',
    '#title'  => t('Module status'),
  );

  $form['module_status']['cleanup'] = array(
    '#type' => 'submit',
    '#value' => 'Repair',
    '#description' => t('Sometimes the node_access table can get out of sync. Click on this button to synchronize the node_access table.'),
    '#title'  => t('Cleanup node access table'),
  );
 

  $form['permissions_model'] = array(
    '#type' => 'fieldset',
    '#title' => t('Permissions model'),
    '#description' => '',
    '#collapsible' => FALSE,
    '#collapsed' => FALSE,
  );

  $form['permissions_model']['nodeperm_role_mode'] = array(
    '#type' => 'radios',
    '#title' => t('Operations to control'),
    '#default_value' => variable_get('nodeperm_role_mode', 0),    # 0 = view and edit, 1 = edit only
    '#options' => array(
      '0' => t('Allow both view and edit based permissions to be controlled.'),
      '1' => t('Only allow edit based permissions to be adjusted (view will use Drupal default). <b>WARNING: Scheduled for depreciation</b>.'),
    ),
  );

// This section is DEPRECIATED 
//  - 4.7 appears to preserve flags and author when content is edited (YEA)
//  - It has been converted to 4.7 forms control as an excersie (and works).
# // Create the node options preservation table.
# $form['editing_options'] = array(
#   '#type' => 'fieldset',
#   '#title' => t('Editing options'),
#   '#description' => t('<div id="help">Drupal\'s default behavior is to reset options to their <a href="%default-options-link">defaults</a> when a node is edited. Change this behavior by indicating which options will be preserved when a user edits a node they don\'t own. Users with &quot;administer nodes&quot; permission may override these settings within the node form. </div>', array('%default-options-link' => url('admin/node/configure/types'))),
#   '#collapsible' => FALSE,
#   '#collapsed' => FALSE,
# );

# // The various flags used by nodes
# $edit_settings = array('publish' => 'node_status_edit_', 'promote' => 'node_promote_edit_', 'moderate' => 'node_moderate_edit_', 'sticky' => 'node_sticky_edit_');
# $form['editing_options']['matrix'] = array(
#   '#type'   => 'crg_formtable',
#   '#header' => array_merge(array(t('type')), array_keys($edit_settings)),
# );
# foreach (node_get_types() as $type => $name) {
#   $cols = array();

#   // Build a fake node so the mdoule associated witht he node can return the node's title
#   $node = new StdClass();
#   $node->type = $type;

#   // Set row title to module name
#   $cols[] = array(
#     '#value'    => node_get_name($node),
#   );

#   foreach ($edit_settings as $option => $varname) {
#     $varname = $varname. $type;
#     $cols[] = array(
#       '#name'           => $varname,
#       '#type'           => 'checkbox',
#       '#title'          => '',
#       '#default_value'  => 1,
#       '#required'       => FALSE,
#       '#return_value'   => (variable_get($varname, 0)) ? TRUE : FALSE,
#       '#attributes'     => array(
#         'align' => 'center', 
#         'width' => 55,
#       ),
#     );
#   }

#   $form['editing_options']['matrix']['#rows'][] = $cols;
# }


  // CRG : Add an advanced option that will allow for incremental changes to access instead of replacement changes
  $form['advanced'] = array(
    '#type' => 'fieldset',
    '#title' => t('Advanced options'),
    '#collapsible' => FALSE,
    '#collapsed' => FALSE,
  );
  $form['advanced']['nodeperm_role_inherit'] = array(
    '#type'         => 'checkbox',
    '#title'        => t("Allow incremental per-role settings"),
    '#description'  => t('Allow worflow actions to inherit, remove or set permissions for roles. Inheriting means any existing permissions for this role are retained by this action. Only applicable if the Workflow module is loaded.'),
    '#default_value'=> variable_get('nodeperm_role_inherit', 0),
  );

  $form['op'] = array(
    '#type'         => 'submit',
    '#value'        => t('Save changes'),
  );

  # Call form buidler
  return drupal_get_form('nodeperm_role_config', $form);
}

/**
 * Implementation of hook_form_submit()
 */
function nodeperm_role_config_submit($form_id, $form_values) {

  $queries = array();
  $op = $_POST['op'];

  # Activate/deactive and clean up node_access table
  if ($op == t('Enable')) {
    variable_set('nodeperm_role_enabled', 1);
    $queries[] = 'DELETE FROM {node_access} WHERE nid = 0 AND realm = "all"';
    drupal_set_message(t('Role-based node permissions are now enabled'));
  }
  elseif ($op == t('Disable')) {
    variable_set('nodeperm_role_enabled', 0);
    $queries[] = 'DELETE FROM {node_access} WHERE nid = 0 AND realm = "all"';
    $queries[] = 'INSERT INTO {node_access} (nid, gid, realm, grant_view, grant_update, grant_delete) VALUES (0, 0, "all", 1, 0, 0)';
    drupal_set_message(t('Role-based node permissions are now disabled'));
  }
  
  # Always syncronize node_access table (repair)
  if (variable_get('nodeperm_role_mode', 0) == 0) { // Edit perms only
    if (db_result(db_query('SELECT COUNT(nid) FROM {node_access} WHERE realm = "all" AND nid = 0'))) {
      $queries[] = 'DELETE FROM {node_access} WHERE nid = 0 AND realm = "all"';
    }
  }
  else { // View and edit perms
    if (db_result(db_query('SELECT COUNT(nid) FROM {node_access} WHERE nid = 0 AND realm = "all" AND grant_view = 1')) == 0) {
      $queries[] = 'DELETE FROM {node_access} WHERE nid = 0 AND realm = "all"';
      $queries[] = 'INSERT INTO {node_access} (nid, gid, realm, grant_view, grant_update, grant_delete) VALUES (0, 0, "all", 1, 0, 0)';
    }
    if (db_result(db_query('SELECT COUNT(nid) FROM {node_access} WHERE realm = "nodeperm_role" AND grant_update = 0'))) {
      $queries[] = 'DELETE FROM {node_access} WHERE realm = "nodeperm_role" AND grant_update = 0';
    }
  }

  // Save variables - form was NOT a tree so do not use hierarchial names
  variable_set('nodeperm_role_inherit', $form_values['nodeperm_role_inherit']);
  variable_set('nodeperm_role_mode', $form_values['nodeperm_role_mode']);
  
  $queries = array_unique($queries);
  if (count($queries)) {
    drupal_set_message(t('The following queries were run to optimize the node_access table:'));
    foreach ($queries as $query) {
      db_query($query);
      drupal_set_message($query);
    }
  } else
  {
    drupal_set_message("No problems found in SQL tables");
  }
}


/**
 * Implemention of hook_form_alter
 *
 * A role view/edit section is added to the existing form (in its own section) if the form passed
 * is node related.
 *
 */

function nodeperm_role_form_alter($form_id, &$form) {
  // Only intercept NODE related forms
  if (isset($form['type']) && $form['type']['#value'] .'_node_form' == $form_id) {
    // Allow node authors and admins to set view/edit permissions.
    if (user_access('edit own node permissions') || user_access('administer nodes')) {
      $node = $form['#node'];       // Gain easy access to node data

      if (!isset($node->nodeperm_role_view)) {
        $edit = $_POST['edit'];
        // Load the node access grants from the database.
        $node->nodeperm_role_view = nodeperm_role_load_view($node->nid);
        $node->nodeperm_role_edit = nodeperm_role_load_edit($node->nid);
      }
      $roles = user_roles();
      $roles[-1] = t('none');
      ksort($roles);

      // Create a new section for ndoeperm roles
      //  - Note : The only way to control WHERE this form section appears is to intercept the theme code for a node. For this case that is not worth the effort
      $form['role_permissions'] = array(
        '#type'         => 'fieldset',
        '#title'        => 'Additonal role permissions',
        '#description'  => 'Allow other roles to access this node',
        '#collapsible'  => 1,
        '#collapsed'    => 1,
      );

      if (variable_get('nodeperm_role_mode', 0) == 0) {
        // If view is being controlled by nodeperm_role then display view selection
        $form['role_permissions']['nodeperm_role_view'] = array(
          '#title'          => t('Roles that can view'),
          '#default_value'  => ($edit['nodeperm_role_view']) ? $edit['nodeperm_role_view'] : $node->nodeperm_role_view,
          '#type'           => 'select',
          '#options'        => $roles,
          '#description'    => t('Select other roles that may view your post.'),
          '#multiple'       => True,
          '#rows'           => 5,
        );
      }
      // Edit is always under the control of nodeperm_role
      $form['role_permissions']['nodeperm_role_edit'] = array(
        '#title'          => t('Roles that can edit'),
        '#default_value'  => ($edit['nodeperm_role_edit']) ? $edit['nodeperm_role_edit'] : $node->nodeperm_role_edit,
        '#type'           => 'select',
        '#options'        => $roles,
        '#description'    => t('Select other roles that may edit your post.'),
        '#multiple'       => True,
        '#rows'           => 5,
      );

    }
  }

  # No return value needed, the passed $form array is modified in-place as apropriate
}

/**
 * Implementation of hook_nodeapi().
 *
 */
function nodeperm_role_nodeapi(&$node, $op, $arg = 0) {
  switch ($op) {

//    DEPRECIATED - anomly referenced below has been fixed in 4.7
#   case 'validate':
#     global $user;
#     // A batch of special cases for group members who are editing a node, not
#     // the original author, and don't have administer nodes permission.
#     if ($_POST['op'] == t('Submit') && $node->nid && !user_access('administer nodes')) {
#       // Drupal has this nasty bug that assumes the editor is also the author
#       // and assigns complete authorship to the editor. See here for more details:
#       // http://drupal.org/node/11071
#       $old_node = db_fetch_object(db_query('SELECT uid, status, promote, sticky, moderate FROM {node} WHERE nid = %d', $node->nid));

#       if ($node->uid != $old_node->uid) {
#         $node->uid = $old_node->uid;
#         // Determine if the settings are preserved during group editing. There
#         // is also a patch for this here: http://drupal.org/node/7940
#         $node->status   = (variable_get("node_status_edit_$node->type", 1)) ? $old_node->status : variable_get("node_status_$node->type", 1);
#         $node->promote  = (variable_get("node_promote_edit_$node->type", 1)) ? $old_node->promote : variable_get("node_promote_$node->type", 1);
#         $node->sticky   = (variable_get("node_sticky_edit_$node->type", 1)) ? $old_node->sticky : variable_get("node_sticky_$node->type", 0);
#         $node->moderate = (variable_get("node_moderate_edit_$node->type", 1)) ? $old_node->moderate : variable_get("node_moderate_$node->type", 0);
#       }
#     }
#     break;


    case 'delete':
      // When a node is deleted, delete any relevant grants.
      db_query("DELETE FROM {node_access} WHERE nid = %d AND realm = 'nodeperm_role'", $node->nid);
      break;

    case 'insert':
    case 'update':
      if ((user_access('edit own node permissions') || user_access('administer nodes')) && ($node->nodeperm_role_view || $node->nodeperm_role_edit)) {
        nodeperm_save($node);
      }
      break;
  }
}

/**
 * Save node permissions by writing them to the database.
 */
function nodeperm_save($node) {
  // If either of the special array are set then update node_access.
  if (is_array($node->nodeperm_role_view) || is_array($node->nodeperm_role_edit)) {
    $roles = nodeperm_get_roles();
    db_query("DELETE FROM {node_access} WHERE nid = %d AND realm = 'nodeperm_role'", $node->nid);
    $grants = array();

    // Get current node permissions
    $node->nodeperm_role_view = isset($node->nodeperm_role_view) ? $node->nodeperm_role_view : array();
    $node->nodeperm_role_edit = isset($node->nodeperm_role_edit) ? $node->nodeperm_role_edit : array();

    /* A rid of -1 means that the user doesn't want anybody else to edit their entry. */
    foreach ($node->nodeperm_role_view as $rid) {
      if ($rid != -1) {
        $grants[$rid]['view'] = 1;
      }
    }
    foreach ($node->nodeperm_role_edit as $rid) {
      if ($rid != -1) {
        $grants[$rid]['view'] = 1;
        $grants[$rid]['edit'] = 1;
      }
    }

    foreach ($grants as $rid => $grant) {
      // Optimize the node access table. If all permissions are FALSE then do not bother adding it (deny is the default)
      //  - In theory reducing node access rows will improve performance
      //  - Note that edit permission is also used for delete permission
      if ($grant['view'] || $grant['edit']) {
        // %d format control will auto-convert undefined values to 0 which is what is desired
        db_query('INSERT INTO {node_access} (nid, gid, realm, grant_view, grant_update, grant_delete) VALUES (%d, %d, \'nodeperm_role\', %d, %d, %d)', $node->nid, $rid, $grant['view'], $grant['edit'], $grant['edit']);
        if ($grant['view']) {
          $rnames_view[] = $roles[$rid];
        }
        if ($grant['edit']) {
          $rnames_edit[] = $roles[$rid];
        }
      }
    }
    if ($rnames_view) {
      watchdog('action', t('Changed role view permissions of node %nid to <em>%rnames</em>', array('%nid' => $node->nid, '%rnames' => implode(', ', $rnames_view))));
    }
    if ($rnames_edit) {
      watchdog('action', t('Changed role edit permissions of node %nid to <em>%rnames</em>', array('%nid' => $node->nid, '%rnames' => implode(', ', $rnames_edit))));
    }
  }
}


function nodeperm_role_load_view($nid) {
  $result = db_query("SELECT na.gid FROM {node_access} na WHERE na.nid = %d AND na.realm = 'nodeperm_role' AND na.grant_view = 1", $nid);
  $nodeperm_role_view = array();
  while ($grant = db_fetch_object($result)) {
    $nodeperm_role_view[] = $grant->gid;
  }

  return $nodeperm_role_view;
}

function nodeperm_role_load_edit($nid) {
  $result = db_query("SELECT na.gid FROM {node_access} na WHERE na.nid = %d AND na.realm = 'nodeperm_role' AND na.grant_update = 1", $nid);
  $nodeperm_role_edit = array();
  while ($grant = db_fetch_object($result)) {
    $nodeperm_role_edit[] = $grant->gid;
  }

  return $nodeperm_role_edit;
}

function nodeperm_get_roles($none = False) {
  static $roles;

  if (!$roles) {
    $result = db_query("SELECT rid, name FROM {role} ORDER BY name");
    while ($data = db_fetch_object($result)) {
      $roles[$data->rid] = $data->name;
    }
  }

  return $roles;
}

/**
 * Implementation of a Drupal action.
 * Alters node level role permissions for a node.
 *
 * If advanced inheritence flag is set then this action supports set/remove/inherit logic. This is the only
 * place such code exists. Inheritence does not make any sense when a node is being edited as there is nothing
 * to inherit from!
 */
function action_node_assign_role_perms($op, &$edit, &$node) {
  // Set some common values, used by many operations

  // *** From module settings
  $advanced_form_name = 'nodeperm_role_inherit';
  $is_advanced_form = variable_get($advanced_form_name, 0);
  // True if view permission is being maintained
  $is_view = variable_get('nodeperm_role_mode', 0) == 0;      


  // Handle operation
  switch($op) {
    case 'metadata':
      return array(
        'description' => t('Change role-based permissions'),
        'type' => t('Node'),
        'batchable' => false,
        'configurable' => true,
      );
      break;

    case 'do':
      // If node contains nodeperm settings use them, otherwise fetch them
      //  - In most cases the data will not exist, but allow for it in case others have done some modifications
      //  - Only bother getting values if advanced flag is set
      //  - Make sure defaults are initialized to arrays
      //  - When done each element contains the role IDs currently granted the specific permission
      $default['view'] = array();
      $default['edit'] = array();

      if ($is_advanced_form) {
        // Avoid grabbing view permissions if this has been deactivated
        if ($is_view) {
          if (is_array($node->nodeperm_role_view)) {
            $default['view'] = $node->nodeperm_role_view;
          } 
          else {
            $default['view'] = nodeperm_role_load_view($node->nid);
          }
        }
        // edit (aka update) (also used for delete) is always grabbed
        if (is_array($node->nodeperm_role_edit)) {
          $default['edit'] = $node->nodeperm_role_edit;
        } 
        else {
          $default['edit'] = nodeperm_role_load_view($node->nid);
        }
      } // End of inheritence support check
            
      // Loop through parameters passed via edit[]
      // Handle new style inheritance settings in a way that is compatible with the old
      //  - A teeny bit slower then original code but of little consequence for actions as they fire rarely (as compared to reads) in all but VERY extreme cases
      $grants = array('view' => array(), 'edit' => array());      // Initialize final result set

      foreach (nodeperm_get_roles() as $rid => $role_name) {
        // Loop through each permission
        foreach (nodeperm_role_perms() as $p) {
          $set_name = 'nodeperm_role_'. $p;                     // Name of element holding rids that have explicit permissions
          $inherit_name = 'nodeperm_role_'. $p . '_inherit';    // Name of element holding rids that inherit

          if (in_array($rid, $edit[$set_name])) {
            // permissions was explicitly specified for this role
            $grants[$p][] = $rid;
          }
          elseif(in_array($rid, $edit[$inherit_name])) {
            // permissions is inherited. If this rid is in default set then add it to result set
            if (in_array($rid, $default[$p])) {
              $grants[$p][] = $rid;
            }
          }
          // else denial is assumed (does not appear in an array)
        }
      }

      // Add back into node and save nodeperm data
      if (variable_get('nodeperm_role_mode', 0) == 0) {
        $node->nodeperm_role_view = $grants['view'];
      }
      $node->nodeperm_role_edit = $grants['edit'];

      // Data is now in normal nodeperm format:
      //  nodeperm_role_view = array of rids granted view
      //  nodeperm_role_edit = array of rids granted edit
      nodeperm_save($node);
      break;

    case 'form':
      // add form components
      $roles = nodeperm_get_roles();
      $roles[-1] = t('none');
      ksort($roles);
      $output = '';

      // Get available permisisons, often used as a suffix for array keys
      $perms = nodeperm_role_perms();


      // Make sure elements are initialized
      foreach (array('', '_inherit') as $type) {
        foreach ($perms as $p) {
          $name = 'nodeperm_role_' . $p . $type;
          if (! $edit[$name]) {
            $edit[$name] = array();
          }
        }
      }

      // Remember the type of form being generated
      //  - Use a different name so detection between re-display and initial display is possible
      $form = array();
      $form[$advanced_form_name] = array(
        '#type'     => 'hidden',
        '#value'    => $is_advanced_form,
      );
      
      if ($is_advanced_form) {
        // Support the advanced permission handling
        //  - There is no preview so this check is probably not needed but do it anyway for completeness
        if (! array_key_exists('nodeperm_role_form_type', $edit)) {
          // Convert an array or roles to applicable options
          // actions saves paramater data in $edit[] (same as CGI which normally makes it easy to transition between the two but doesn't help much now)
          //  - This is NOT blazing fast but for the very few times it will be triggered (defining an action) it is fine
          foreach ( nodeperm_get_roles() as $rid => $role_name) {
            // Loop through each permission
            foreach ($perms as $p) {
              $cgi_name = 'nodeperm_role_'. $p .'_' . $rid;
              if (in_array($rid, $edit['nodeperm_role_' . $p])) {
                $edit[$cgi_name] = '1';
              }
              elseif($edit['nodeperm_role_' . $p . '_inherit'] && in_array($rid, $edit['nodeperm_role_' . $p . '_inherit'])) {
                $edit[$cgi_name] = '-';
              } else {
                // Assume denial
                $edit[$cgi_name] = '0';
              }
            }
          }
        }

        $form['advanced'] = array(
          '#type'         => 'fieldset',
          '#title'        => t('Advanced role permissions'),
          '#description'  => t("For each role select '-' to retain exsiting permission (no change) or 'Y' to grant permission or 'N' to deny permission"),
          '#collapsible' => FALSE,
          '#collapsed' => FALSE,
        );

        $columns = array();

        $form['advanced']['perms'] = array(
          '#type'       => 'matrix',
          '#header'     => array_merge(array('role'), $perms),
        );


        # Build each row
        $row_count = 1;
        foreach ( nodeperm_get_roles() as $rid => $role_name) {
          $cols = array();

          # Add role name
          $cols['role'] = array(
            '#value'    => $role_name,
          );
          
          // Select field for each permission
          foreach ($perms as $p) {
            // Each select field
            //  - Name is manually created since there is no key for this element (using simplfied matrix form)
            $cgi_name = 'nodeperm_role_'. $p .'_' . $rid;
            $cols[$cgi_name] = array(
              '#type'           => 'select',
              '#default_value'  => $edit[$cgi_name],
              '#options'        => array(
                '-'   => '-',
                '0'   => t('N'),
                '1'   => t('Y'),
              ),
            );
          }

          // Add the new row
          $form['advanced']['perms']['#rows'][] = $cols;
        }
      } else {
        // Simplified interface
        if (variable_get('nodeperm_role_mode', 0) == 0) {
          $form['nodeperm_role_view'] = array(
            '#type'           => 'select',
            '#title'          => t('Roles that may view the node'),
            '#default_value'  => $edit['nodeperm_role_view'],
            '#description'    => t('Select the roles that will be able to view the node.'),
            '#options'        => $roles,
          );
        }
        $form['nodeperm_role_view'] = array(
          '#type'           => 'select',
          '#title'          => t('Roles that may edit the node'),
          '#default_value'  => $edit['nodeperm_role_edit'],
          '#description'    => t('Select the roles that will be able to edit the node.'),
          '#options'        => $roles,
        );
      }
#drupal_set_message("<pre>". print_r($form,1).'</pre>');
      return $form;
      break;


    case 'validate':
      $errors = array();

      // Validation only applies to simple interface
      if (! $edit[$advanced_form_name]) {
        if (!$edit['nodeperm_role_edit'] && $edit['nodeperm_role_view']) {
          $errors['nodeperm_role_edit'] = t('Please choose the role(s) to transition to.');
        }

        foreach ((array) $edit['nodeperm_role_view'] as $key => $rid) {
          $edit['nodeperm_role_view'][$key] = $rid;
        }
        foreach ((array) $edit['nodeperm_role_edit'] as $key => $rid) {
          // CRG: view and edit can be different, allow this since other node access modules will be working with this one
          //  $edit['nodeperm_role_view'][$key] = $rid;
          $edit['nodeperm_role_edit'][$key] = $rid;
        }
      }

      foreach ($errors as $name => $message) {
        form_set_error($name, $message);
      }

      return count($errors) == 0;
      break;

    // process the HTML form to store configuration
    case 'submit':
      if ($edit[$advanced_form_name]) {
        // If the new interface then translate the advanced settings into the old style
        //  nodeperm_role_view_inherit - List of roles that inherit the view permission
        //  nodeperm_role_edit_inherit - List of roles that inherit the edit permission
        $params = array(
          'nodeperm_role_edit' => array(),
          'nodeperm_role_view' => array(),
          'nodeperm_role_edit_inherit' => array(),
          'nodeperm_role_view_inherit' => array()
        );

        foreach ( nodeperm_get_roles() as $rid => $role_name) {
          // Loop through each permission - simular code as in 'form' but different enough to make factor hardly worth the effort
          $perms = nodeperm_role_perms();
          foreach ($perms as $p) {
            $cgi_name = 'nodeperm_role_'. $p .'_' . $rid;     // Name of CGI form data
            $param_name = 'nodeperm_role_' . $p;              // Paramater name to save rid in
            if ($edit[$cgi_name]) {
              switch ($edit[$cgi_name]) {
                case '1':
                  $params[$param_name][] = $rid;
                  break;

                case '-':
                  $params[$param_name . '_inherit'][] = $rid;
                  break;

                // N is assumed if not in either array
              }
            }

          } // end of loop through permissions
        } // End of loop through roles
      }
      else {
        // Old (simple) non-inheritance form data
        // Inherit arrays are cleared just in case this is a transition from advanced to simple
        $params = array(
          'nodeperm_role_edit' => $edit['nodeperm_role_edit'],
          'nodeperm_role_view' => $edit['nodeperm_role_view'],
          'nodeperm_role_edit_inherit' => array(),
          'nodeperm_role_view_inherit' => array());
      }
      return $params;
      break;
    }
}

/*
 * Returns an array of permissions that are being used.
 *
 * Note that internall the code refers to the update grant as 'edit'.
 * This was retained during addition of inheritence code.
 *
 */

function nodeperm_role_perms() {
  if (variable_get('nodeperm_role_mode', 0) == 0) {
    // Some think permissions slow things down but I have my doubts (CRG) since permissions are all on a single row in node_access
    //  XXX If TRUE then always return view/edit
    return array('view', 'edit');
  }
  else {
    return array('edit');
  }
}

/*
 * matrix theme overview
 *
 * The matrix theme is simple to use but a major task to implement. It allows form elements
 * to be wrapped into a matrix (which is normally rendered as a table). This should be used
 * only for cases where the input is matrix based. For pure visual arangement a theme
 * is recomended (see http://drupal.org/node/47582).
 *
 * There are 4 new form elements. The [] indicate a key of some name
 *  - matrix : The master object to wrap all others
 *  -- #rows : Array of rows instead of using matrix_row elements (optional, if used DO NOT use matrix_row elements)
 *  -- #header : An array of header cells (like #rows) but replace matrix_head elements (optional, if used DO NOT use matrix_row elements)
 *  -- #caption : caption for table
 *  -- #attributes : HTML attributes to apply to the table
 *  -- [] matrix_head : Use this for a header, use only one of these (or none)
 *  --- #cells : Array of cells instead of using matrix_cell elements (optional, if used DO NOT use matrix_cell elements)
 *  --- There are HTML atributes for this element
 *  --- [] matrix_cell : The cell wraper
 *  ---- '#field' : Used for 'sort' key by theme('table') header processing (optional)
 *  ---- '#sort' : Used for 'sort' key by theme('table') header processing (optional)
 *  ---- '#attributes' = Array of HTML elements for the cell (optional)
 *  ---- [] form array : one per matrix_cell of standard form element
 *  -- [] matrix_row : One row for each row in the matrix
 *  --- #cells : Array of cells instead of using matrix_cell elements (optional, if used DO NOT use matrix_cell elements)
 *  --- '#attributes' = Array of HTML elements for the row (optional)
 *  --- [] matrix_cell : The cell wraper
 *  ---- '#attributes' = Array of HTML elements for the cell (optional)
 *  ---- [] form array : one per matrix_cell of standard form element
 *
 * During initial form building the following shortcuts will expand to a full hierarchial form. Processed
 * in the following order
 *  - matrix_table
 *    - #header : Will create a new element 'row_x' with type '#matrix_head' and all elements placed into '#cells' of that row
 *    - #row : Assumed to be a 2 deimensional array. Will create a new element 'row_x' matrix_row for each element in #rows and within each of those will create a '#cells' entry
 *    - For every non-matrix_row/head entry found will wrap it in a matrix_row element
 *    - WARNINGS:
 *      - Combining #header with normal matrix_head elements is allowed but can get confusing
 *      - Combining #rows with normal matrix_row elements is allowed but can get confusing
 *  - matrix_row/head
 *    - #cells : Will wrap each element in a matrix_cell array. The key will be retaiuned if the array key is non-numeric
 *    - For every non-matrix_cell entry found will wrap it in a matrix_row element, retains the existing key
 *    - WARNINGS:
 *      - Combining the #cells element with normal matrix_cell elements is allowed but can get confusing
 *      - The last matrix_head element encountered is used by the  table, all prior onces are ignored
 *  - matrix_cell
 *    - No special processing
 *    
 *
 * The fully epanded form is rather cumbersome, but very flexible. A simple 2x2 matrix follows (using just the defualt #markup type for a form)
 *  $form['table'] = array('#type' => 'matrix');
 *  $form['table']['row1'] = array('#type' => 'matrix_row');
 *  $form['table']['row1']['col1'] = array('#type' => 'matrix_cell');
 *  $form['table']['row1']['col1']['r1c1'] = array('#value' => 'r1 c1');
 *  $form['table']['row1']['col2'] = array('#type' => 'matrix_cell');
 *  $form['table']['row1']['col2']['r1c2'] = array('#value' => 'r1 c2');
 *  $form['table']['row2'] = array('#type' => 'matrix_row');
 *  $form['table']['row2']['col1'] = array('#type' => 'matrix_cell');
 *  $form['table']['row2']['col1']['r2c1'] = array('#value' => 'r2 c1');
 *  $form['table']['row2']['col2'] = array('#type' => 'matrix_cell');
 *  $form['table']['row2']['col2']['r2c12] = array('#value' => 'r2 c2');
 *
 * The matrix supports a number of shortcuts to make things easier! The matrix will automatically adjust the form to be in the above
 * hierarchy format so everything works as expected.
 *
 * The per-cell wrapper can be eliminated. This makes our 2x2 matrix a bit easier to define. We do loose tha ability to customize
 * each cell:
 *  $form['table'] = array('#type' => 'matrix');
 *  $form['table']['row1'] = array('#type' => 'matrix_row');
 *  $form['table']['row1']['r1c1'] = array('#value' => 'r1 c1');
 *  $form['table']['row1']'r1c2'] = array('#value' => 'r1 c2');
 *  $form['table']['row2'] = array('#type' => 'matrix_row');
 *  $form['table']['row2']['r2c1'] = array('#value' => 'r2 c1');
 *  $form['table']['row2']['r2c12] = array('#value' => 'r2 c2');
 *
 * The matrix_row can be dropped and an array saved in the base matrix #row element can be used. In this example
 * I also used the shortcut from above. You can of course define the full matrix_col structure if you wish. I
 * find myself using this convention quit a lot in code. It's a nice compromise between flexibility and easy
 * of use. Only the discrete control over indvidual cell attributes are lost.
 *  $form['table'] = array('#type' => 'matrix');
 *  $form['table']['#rows']= array(
 *    array('col1' => array('#value' => 'r1 c1'), array('col2' => array('#value' => 'r1 c2')),
 *    array('col1' => array('#value' => 'r2 c1'), array('col2' => array('#value' => 'r2 c2')),
 *  )
 *
 * A row can be repsented as an array of columns using the '#cells' attribute for matrix_row and matrix_head
 *  $form['table'] = array('#type' => 'matrix');
 *  $form['table']['row1'] = array('#type' => 'matrix_row');
 *  $form['table']['row1']['#cells'] = array(array('#value' => 'r1 c1'), array('#value' => 'r1 c2'));
 *  $form['table']['row2']['#cells'] = array(array('#value' => 'r2 c1'), array('#value' => 'r2 c2'));
 *
 * A pure 2 dimensional array can be used for #rows to combine rows and cells:
 *  $form['table'] = array('#type' => 'matrix');
 *  $form['table']['#rows'] = array(
 *     array(array('#value' => 'r1 c1'), array('#value' => 'r1 c2')),
 *     array(array('#value' => 'r2 c1'), array('#value' => 'r2 c2')),
 *  );
 *
 * If the form value is a constant, like the above example, you can drop the array building:
 *  $form['table'] = array('#type' => 'matrix');
 *  $form['table']['#rows'] = array(
 *     array('r1 c1', 'r1 c2'),
 *     array('r2 c1', 'r2 c2'),
 *  );
 *
 * Finally all of these can be combined and mixed and matched with the following limitations:
 *  * Do NOT use matrix_table '#rows' and explictly named matrix_row, this will cause untold havoc
 *  * Do NOT use matrix_row/head '#cells' and explictly named matrix_cells for the same row, this will cause untold havoc
 *  * Drupal forms API requires name for input form elements. If the matrix_cell is not explictly provided then the matrix
 *  handler for create a name, which is probably not what you want. In this case I recomend using '#name' and setting the CGI
 *  name properly. In almost all cases (submit being the exception) you will want to use the template 'edit[%s]' to build the name.
 *
 * Additional limitations:
 *  * There is no automated way to create spanned rows or columns. I have not coded anything to prevent this but I have not
 *  tested it in anyway.
 *
 *
 * The Drupal theme('table') is used to render the final table. Due to the mismatch between that theme and
 * the way form cde must be hierarchial there is some magic that happens. Bascially data is serialized
 * during rendering and then de-serialized and re-organized when the matrix is finally generated.
 *
 * History:
 *  2005-09-06
 *    * Code was originally based on http://drupal.org/node/51726 which gave me the background I needed to implement my own matrix
 *    * Code updated to allow many ways of building the matrix
 *    * Uses the theme('table') in Drupal for maximum compatibility
 */

define('FORM_MATRIX_DELIMITER', "\n{Br}\n");           // This should be unique enough to not appear in any serialized data

/*
 * Theme the matrix_cell for a form. Returns serialized data for use by matrix_row/head
 *
 */

function theme_matrix_cell($element) {
# drupal_set_message('matrix_cell: <pre>'. print_r($element,1). '</pre>');

  // Organize data so it is suitable for theme('table')
  // Note on #atributes
  //  All HTML attributes are allowed
  //  'field', 'sort' : Supported if this cell is part of a matrix_head, otherwise these will be ignored (handled by theme_matrix_head)
  $rtn = array('data' => $element['#children']);
  if($element['parent'] == 'matrix_head') {
    foreach (array('field', 'sort') as $k) {
      if ($element['#' . $k]) {
        $rtn[$k] = $element['#'. $k];
      }
    }
  }

  # Normal HTML attributes
  if (is_array($element['#attributes'])) {
    $rtn = array_merge($rtn, $element['#attributes']);
  }

  // Return this data as a string so form builder can handle it. Add seperator for easier parsing
  return serialize($rtn) . NODE_MATRIX_DELIMITER;     # A special delimiter that should not appear in where else in the serialized string
}
function theme_matrix_head($element) {
  // Convert children cells back to data elements
  //  - There is no matrix_head specific attributes supported by theme('table') and no mechanism to pass thm
  //  -- 'sort', 'field' attributes can be passed but they must be done via matrix_cell #attributes
  foreach (explode(NODE_MATRIX_DELIMITER,$element['#children']) as $s) {
    $rtn['head'][] = unserialize($s);
  }

  // Return this data as a string, formtable will process it correctly
  return serialize($rtn) . NODE_MATRIX_DELIMITER;     # A special delimiter that should not appear in where else in the serialized string
}

/*
 * Theme for rows. Takes all children element, de-setrializes them and re-serializes it in a rows array
 */
function theme_matrix_row($element) {
  // Convert children cells back to data elements
  foreach (explode(NODE_MATRIX_DELIMITER, $element['#children']) as $s) {
    $rtn['row']['data'][] = unserialize($s);
  }

  //  Support attributes
  if (is_array($element['#attributes'])) {
    $rtn = array_merge($rtn, $element['#attributes']);
  }

  // Return this data as a string so form builder can handle it. Add seperator for easier parsing
  return serialize($rtn) . NODE_MATRIX_DELIMITER;     # A special delimiter that should not appear in where else in the serialized string
}

/*
 * Render the crg_formtable form element. This is a simple element that
 * is table based:
 *  '#type'     => 'matrix'
 *  '#header'   => array or strings OR array of form elements
 *                - Strings are quoted for html enties
 *  '#rows'     => An array for each row where each row is an array of columns where each column is a form arrayA
 *  '#caption'  => Table caption
 *  '#attributes' => Table attributes
 *
 *
 * WARNING: When using the #rows attribute be sure that form elements are explictly named
 * using '#name' of the applicable form cell. In addition you may want to make sure the
 * name is of the form 'edit[%s]' otherwise you may not get the _POST data you are expecting.
 * matrix_cell elements explictly created do not suffer this problem and the cell 
 */

function theme_matrix($element) {
  $header = array();
  $rows = array();

  foreach (explode(NODE_MATRIX_DELIMITER, $element['#children']) as $s) {
    if (! $s) {
      continue;
    }

    $data = unserialize($s);
    if($data['head']) {
      $header = $data['head'];
    } elseif($data['row']) {
      $rows[] = $data['row'];
    } else {
      drupal_set_message("System Error: Unknown matrix element found in final rendering. Original data was:<pre>$s</pre>Decoded to:<pre>". htmlentities(print_r($data,1)). "</pre>");
    }
  }

  return theme('table', $header, $rows, $element['#attributes'], $element['#caption']);
}


/**
 * return custom fields for my new element definitions
 */
function nodeperm_role_elements(){
  $type['matrix_row'] = array('#process' => array('matrix_ensure_cells' => array()), '#tree' => TRUE );
  $type['matrix_head'] = array('#process' => array('matrix_ensure_cells' => array()), '#tree' => TRUE );
  $type['matrix'] = array('#process' => array('matrix_ensure_rows' => array()), '#tree' => TRUE );
  return $type;  
}
/**
 * Given a row element, the only valid children are cells
 * If the child is NOT a cell, wrap it up as if it were one.
 *
 * If '#cells' is present then wrap every element in that array as a cell.
 * #cells and normal hierarhcy are mutually exclusive.
 */
function matrix_ensure_cells($element){

  if ($element['#cells']) {
    $element = array_merge($element, _matrix_cell_array_to_tree($element['#cells']));
    // Remove this element, it is just taking up room now
    unset($element['#cells']);
  }

  // Scan through every non-attribute value and verify it is a matrix_cell
  foreach($element as $key=>$cell){
    if(! is_array($cell)){continue;}
    if($key[0] == '#'){continue;}     # Skip atributes
    if($cell['#type'] != 'matrix_cell'){
      // Expand the cell into a matrix_cell element (matrix_row / matrix_cell / form-data)
      //  - Retain the original key so any form data can build CGI names properly. This is a bit confusing
      //  since the row and the cell have the same key (nested so '[test]' ==> '[test][test]') but there is no programatic reason
      //  to alter this. Any alteration woudl require creating a new key and unsetting the old, which will impact performance
      $element[$key] = array('#type' => 'matrix_cell', $key => $cell );
    }
  }

  return $element;
}

/*
 * Given a matrix element
 * make sure every non-attribute entry in the matrix is a matrix_head or matrix_row.
 * Also support the '#rows' and '#header' attributes for quick simple matrices
 */
function matrix_ensure_rows($element){
  // If the '#rows' is defined then this is an array of [rows][columns]
  if (is_array($element['#rows'])) {
    $row_count = 1;

    // If a '#header' is defined then create an entry for it
    if (is_array($element['#header'])) {
      $element['row_'. $row_count++] = array(
        '#type'   => 'matrix_head',
        '#cells'  => $element['#header'],
      );

      // Remove this element, it is just taking up room now
      unset($element['#header']);
    }

    // Convert row/col hierarchy to tree structure
    foreach( $element['#rows'] as $row) {
      $element['row_'. $row_count++] = array(
        '#type'   => 'matrix_row',
        // An array of 'col_x' entries
        #_matrix_row_cell_to_tree($row),
        '#cells'  => $row,
      );

    }
    // Remove this element, it is just taking up room now
    unset($element['#rows']);
  }

  // Assume a hierarchial structure (tree like)
  // Every non-attribute element of a marix must be a matrix_row or matrix_head. If neither then wrap into a matrix_row
  foreach($element as $key=>$cell){
    if(! is_array($cell)){continue;}
    if($key[0] == '#'){continue;}       # Skip attributes
    if(! in_array($cell['#type'] , array('matrix_head','matrix_row') ) ){
      $element[$key] = array_merge(array('#type' => 'matrix_row'), $cell );
    }
  }

#drupal_set_message('matrix_ensure_rows: <pre>'. print_r($element,1). '</pre>');
  return $element;
}


/* 
 * Given an array of cells (containing scalars or form arrays) return
 * an array of form elements keyed by 'cell_x' where x starts at 1 and
 * increments for each cell
 */

function _matrix_cell_array_to_tree($row) {

  $cell_count = 1;
  $cell_data = array();     // Cell data wrapped in matrix

  // Each element of the header is either a single value or a form API call
  //
  // Note that this function is complicated by the fact that forms API works in a strict hierarchy. This means
  // that the matrix must be wrapped AROUND the form data creating a tree that is two elements deep.
  foreach ($row as $k => $cell) {
    if (is_array($cell)) {
      if($cell['#type'] == 'matrix_cell') {
        // Data is already in a matrix_cell structure so no further action is needed
        $cell_data = $cell;
      } else {
        // Assume form element and wrap it in a matrix
        //  - If the key is not numeric then use the text as the cell name (preserve CGI name), otherwise use the constant 'cell'
        //    - the name of the cell key can be anything since only one element is allowed per matrix_cell
        if (is_numeric($k)) {
          $cell_data = array('#type' => 'matrix_cell', 'cell' => $cell);
        } else
        {
          $cell_data = array('#type' => 'matrix_cell', $k => $cell);
        }
      }
    }
    else {
      // Convert to form element and wrap it in a matrix - the name of the cell key can be anything since only one element is allowed per matrix_cell
      $cell_data = array('#type' => 'matrix_cell', 'cell' => array('#value' => $cell));
    }

    // Caller will append this keyed array to the matrix row type element so every key must be unique
    $data['cell_'. $cell_count++] = $cell_data;
  }

  return $data;
}
 
// vim: ft=php softtabstop=2 tabstop=2 shiftwidth=2